EU, Norway: Two years is too long to keep search data

European governments are becoming increasingly concerned about Google's data …

Google's data retention policies are coming under scrutiny by European governments. According to a letter sent to the search giant by the EU's Article 29 Data Protection Working Party that was seen by the Financial Times, the EU is concerned that Google has failed to fulfill "all the necessary requirements on data protection."

At issue is the search information gathered and retained by Google, which is currently retained for an unknown amount of time. The company announced in March that it would start to anonymize IP address and cookie information 18 to 24 months after the log files are generated. Its new anonymization program is not slated to begin until the end of 2007, however, and could be delayed further.

Google's decision to move toward anonymizing logs was welcomed by some privacy advocates, but the Article 29 Working Party believes that two years is still too long and wants to know why the company needs to hold on to the information for that length of time. Norway, which is not a EU member, has begun its own investigation into Google, resulting in the company's global privacy counsel Peter Fleischer paying a call on the Norwegian Data Inspectorate late last year.

Google has vigorously defended its data retention policy, saying that it is necessary to fine-tune and improve Google's services. "With logs, we can improve our search results: if we know that people are clicking on the #1 result we're doing something right, and if they're hitting next page or reformulating their query, we're doing something wrong," said Fleischer earlier this month. IP addresses are needed in order to strengthen security, says Google, which believes that their immediate deletion would lead to increased problems with phishing, scripting attacks, and spam.

Google is also concerned with complying with data retention laws, although very few of those laws are on the books. The biggest such law, the EU Data Retention Directive, was passed in late 2005, and specifies a period of six to 24 months. The Directive is not yet in force; member nations have until 2009 to put it into effect.

A couple of weeks ago, Fleischer said that "Since these laws do not yet exist, and are only now being proposed and debated, it is too early to know the final retention time periods, the jurisdictional impact, and the scope of applicability. It's therefore too early to state whether such laws would apply to particular Google services, and if so, which ones." The investigations could mean that the European data retention periods end up being shorter than Google's.